Avatar of asPAC
asPAC
 asked on

Server 2003 R2 Google Chrome GPO Deployment

Hello all and thank you for your time.

I am trying to deploy Google Chrome with Group Policy for a particular OU. I have read the books, researched, and even watched walk-through videos on how to accomplish this and still nothing works. I feel as though I have done everything correctly. Here is what I have done:

- On the domain controller, I created a folder on the C drive with the GoogleChromeStandAloneEnterprise.msi and .adm templates in this folder. I have shared this folder and given full control permissions to Everyone and Domain Users

- I then went to Administrative Tools > Group Policy Management and went to the OU that I want to deploy the software to

- I Created a New GPO Policy and went to Edit Policy

- Since I want this to be installed by workstation rather than user and I want this to run in the background, I went to Computer Configuration > Software Settings > Software Installation and did a New > Package

- I typed in the UNC of the installation path and gave it a deployment state of Assigned and under the Delegation tab I gave Domain Users read and write permission

- I did a gpupdate /force on the domain controller and logged off the DC

- I logged onto my test workstation, did a gpupdate /force, rebooted and nothing happens

I have checked the logs on my test workstation to see if there are any failed application installs or things of this nature, and nothing is out of the ordinary. Everything in the logs looks good. I am stumped. Any help would be appreciated. I am probably missing something very simple, but I haven't stumbled upon it yet.

Could it be a "scheduling conflict" with all the other group policies the workstation has to apply? I know the user ID I am logging in with on my test workstation has the ability to install software.

Thanks again for your time. My apologies for the novel.
Windows Server 2003Active DirectoryWindows Networking

Avatar of undefined
Last Comment
asPAC

8/22/2022 - Mon
sarasotamac

Do a gpresult from the command line on the test workstation and you can see if the policy is being applied, should be a good place to start the troubleshooting.
sarasotamac

Based on your novel I'm sure you have already seen this guide, but in case not...
http://support.google.com/a/bin/answer.py?hl=en&answer=187202
asPAC

ASKER
Thank you for your quick response. I did a gpresult on the test workstation and it does in fact say under "Applied Group Policy Objects" that the Google Chrome Group Policy is being applied.

As for the Google support page; I have already seen that. But I don't know where to run this command from: Msiexec /q /I GoogleChrome.msi. Do I run that logged into the machine or do I attach that command somewhere in the settings in Group Policy? When I run the command logged into the machine, nothing happens.
This is the best money I have ever spent. I cannot not tell you how many times these folks have saved my bacon. I learn so much from the contributors.
rwheeler23
gmbaxter

Do you have a "wait for network at startup" setting in a GPO? I always specify this as the workstation will wait until the network is fully connected before showing the login window - this should also make your software deployment more reliable.
CSI-Windows_com

If GPO says that it is triggering it, it may be an MSI problem.

Follow the instructions in this article: https://www.experts-exchange.com/Programming/Installation/A_5177-Installation-Logging-How-To-Create-a-Verbose-Windows-Installer-Log-and-Submit-it-With-Your-Question-Including-MSIs-That-are-INSIDE-Setup-exes.html

If you are unable to read the log and figure out what is going wrong, then zip and upload the log and I will try to give you a hand.

D.
gmbaxter

You could try running msiexec on a workstation to eliminate the msi file as the problem:

msiexec.exe /i package.msi /q
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
McKnife

Hi.

Based on your description, you leave room for questions:
> I have shared this folder and given full control permissions to Everyone and Domain Users
...only share permissions modified? You need to modify both share and ntfs perms to everyone: read for a test.
> I then went to Administrative Tools > Group Policy Management and went to the OU that I want to deploy the software to
...fine, but what is inside that OU? You have to deploy it to computer objects, not users.
> - I typed in the UNC of the installation path and gave it a deployment state of Assigned and under the Delegation tab I gave Domain Users read and write permission
... and this could be your error. You want a deployment to computers but you only give domain users access rights to the package... You need to grant access for the group "domain computers" as well, or to the group "authenticated users" or everyone group, even.

Please note that if this were indeed your error, gpresult would not take note of it.

> Everything in the logs looks good.
...Please tell us what you see inside the log that's connected to this installation.
asPAC

ASKER
Thank you all for the responses. Please pardon the lack of response on my part. I was on the holiday vacation. I will try all your fixes and report back with what I find and award points accordingly. I hope you all had a great holiday weekend.
asPAC

ASKER
@Gmbaxter - I checked to see if the Group Policy setting you told me about was Enabled and sure enough it was on every level. Also, I ran that command on a test workstation and nothing happened. I checked the logs and it says that Windows Installer started and was running, then ten minutes later is said Windows Installer finished and nothing changed.
Experts Exchange is like having an extremely knowledgeable team sitting and waiting for your call. Couldn't do my job half as well as I do without it!
James Murphy
asPAC

ASKER
@CSI-Windows_com - I will enable the logging and get an attached file up as soon as possible.
asPAC

ASKER
@McKnife - I have done everything you suggested in your comment. I have added Domain Computers to anything with a security tab as well as double checking all permissions you stated. Everything looks good. I will submit the logs after I get a detailed one created.
asPAC

ASKER
I figured out that my issue was not removing Authenticated Users and Domain Users from the Security Filter section in the GPO. Having only Domain Computers in there got Chrome to deploy, however, I now get an error during the install. It says the file can't be accessed and there was a fatal error. Any ideas?
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
CSI-Windows_com

Please upload a Windows Installer log and I can help you much more effectively.
asPAC

ASKER
@CSI-Windows_com - Here is the log you requested. Thanks again for all your help.
GoogleChromeInstall.log
CSI-Windows_com

Apparently this log was not generated by a group policy execution and did not use the .REG file in the article that I pointed you to.

The error blocking you with this specific log is:

Error 1925. You do not have sufficient privileges to complete this installation for all users of the machine.  Log on as administrator and then retry this installation.

Open in new window


That would not occur under a group policy deployment.

Also the calling process is msiexec.exe and it should be appmgmt.dll or explorer.exe for a group policy execution.

Could you please configure the machine with the registry key cited in the article and then attempt your group policy deployment scenario and collect the log (probably from c:\windows\temp)

Thanks.
Your help has saved me hundreds of hours of internet surfing.
fblack61
asPAC

ASKER
Yep that was my mistake. I used the logging from command line section.

I downloaded your registry ON file and applied it under an administrator account on our test machine. I did a gpudate /force on the test machine and rebooted. During bootup, I saw it try and install Google Chrome. When went to find the MSI log, it was no where to be found. I searched in every profile's temp folder and found nothing.

I read the part in your tutorial about reasons why I couldn't find one, but I have a question. Should I be running the REG files from the login script or just merging them with an administrator account and then rebooting?
CSI-Windows_com

The .REG is changing HKLM\Software registry keys, so if it is run under a user who is not a FULLY elevated admin (Standard User or Protected Admin) it will not merge properly.

Best to do it manually via an admin login.

Also make sure your company does not already have an MSI Logging policy that blanks out the MSI logging policy.  The easiest way to check would be to look at the registry key touched by the .REG file after running gpupdate.
asPAC

ASKER
I'm an idiot. I was looking for the log files from specific user's temp folder while the log files resided in WINDOWS\temp.

Here are the log files regarding anything Google Chrome.

I appreciate your patience and your help. My apologies for being such a newbie at GPO/AD related tasks.
MSI1a90c.LOG
MSIf956.LOG
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
SOLUTION
CSI-Windows_com

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
asPAC

ASKER
Hi CSI-Windows_com,

Sorry for being slow to respond. Let me answer your questions before asking mine.

1) No, Chrome is not already installed on this computer

2) I have manually tried installing Google Chrome on this machine and it works just fine. We are just trying to automate the install because we have 150+ machines.

3) I have also tried more that one machine as my "test" machine. I obtain the same results across the board.

I believe that you are correct that the AutoUpdate may be the problem. The file you attached, how do I add that to the install? Also, when I save the file you attached and I open it, I see symbols and what not. Should I be seeing this?
asPAC

ASKER
Could a reason be that a firewall rule needs to be created to allow the GoogleUpdate to go through in order for the software to install?
ASKER CERTIFIED SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
asPAC

ASKER
CSI-Windows_com:

The transform you sent me did not work, so I am trying to make one myself. The weird thing is that I created a GPO to update Java the exact same way I created the GPO to install Google Chrome. I have tested the Java update and it worked, but still the Google Chrome gives me the same errors in the logs. I'm wondering if the problem is the .msi that I downloaded from Google? I have updated the .msi that I am using in the GPO and get the same results. I'm about to throw in the towel and just walk around to the 30 workstations and manually install Google Chrome. But I know that not being able to figure this out will consume my life. So I'm at a crossroads...
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes